If there’s one thing I can’t stand, it’s development teams using Excel spreadsheets to keep track of their application vulnerabilities. There’s really no justification for it. Adding or modifying any data requires locating the appropriate cells, entering or changing the information, merging cells, and formatting them. And let’s not forget: all this has to be done manually. Spreadsheets might have been great before there were any alternatives, but it’s 2020, people. If nothing else, we have far better ways to manage vulnerabilities.
Which brings me to Jira by Atlassian. Although it has all kinds of uses today (including project management), when it was created in 2003, Jira was built for tracking and managing bugs throughout the application development process. It’s still used for that today, and that’s what we’re going to talk about in this article.
Tracking security issues is an essential part of the application development process, because once the security team hands over their vulnerability reports, it’s really up to the devs to handle the vulnerabilities. How can you be sure that one recurring vulnerability is ironed out before the release tomorrow? Which vulnerability needs to be fixed more urgently than the others? Jira can help you with these problems, and streamline the vulnerability remediation process.
Here are some of the most important ways Jira can help with app development:
Fixing security issues before they enter production
One of the worst things that could happen is if the security team found a vulnerability, put it in their report, and the dev team just…didn’t see it. That’s why it’s important to have a system where you log all of your security issues as separate tasks in one place, fixing them one at a time. Jira makes it possible to do that.
Prevent overlap of effort
This is especially common in larger teams and organisations: two or more people take up the same set of tasks at the same time, independently of each other. Usually, this sort of confusion is a result of poor communication (or lack thereof) among team members. In Jira, each vulnerability or 'task' is assigned to an individual, ensuring people don’t end up wasting time doing the same thing.
Smarter decisions on tooling/training for the team
Knowing more about your apps and their vulnerabilities can actually help management make smarter decisions about what kind of application security training the dev and security teams might need. Well-trained developers make appsec more efficient, and apps more secure.
Compliance with GDPR and other legal guidelines
With new laws and security guidelines becoming mainstream in the legal systems of many countries, their governments have also been taking a more active interest in protecting people’s sensitive information from being leaked. By releasing a systematically secured application free from major vulnerabilities, you reduce the risk of failing to comply with these laws.
But Jira isn’t a foolproof defect tracking solution, and dev teams still face some teething issues when they start using it. Here are some of the biggest problems developers face:
Security automation has created unbalanced reports
With delivery teams embracing DevSecOps and appsec automation, tools now generate large piles of reports all at once. These tend to be directly tagged as individual tickets for a single developer to remediate. This can lead to an imbalance in tasks among developers, with some being assigned far more bugs to fix than others.
Reports aren’t exactly human-friendly
Vulnerability reports are generated in XML, JSON, CSV or HTML formats. These are essentially machine-readable data, and they aren’t easy to read for people unfamiliar with the format.
New tickets are raised for every single build
Developers sometimes don’t get the chance to remediate certain vulnerabilities between releases, so subsequent builds of the app might still contain older vulnerabilities. Jira has no way of ‘remembering’ these flaws between builds, so when the same one pops up in a new scan, a fresh ticket is raised for it. This ends up cluttering the Jira backlog, requiring someone to manually remove duplicate tickets.
Critical vulnerabilities aren’t always spotted
There’s a good chance that a critical vulnerability may slip through the cracks because of improper prioritisation. This isn’t that uncommon, given how different tools can give conflicting severity scores, and manually prioritising them is more error-prone than we’d like to admit.
Now, I’m not the kind of guy to tell you there’s a problem and not give you a way to solve it. And these issues with Jira are very much in the 'solvable' bracket.
If you didn’t already know about it, Automatic Vulnerability Correlation (AVC) is a process that takes scan results from tools and automatically organises them according to CWE number, severity levels and category. AVC platforms integrate directly with common security tools, making it possible for results to be automatically uploaded and correlated.
Learn more: How vulnerability correlation works
Here’s how AVC can make defect tracking with Jira way more streamlined, efficient and accurate:
Correlating issues as one single ticket
Rather than raising different reports as individual tickets, vulnerability correlation organises multiple related issues into a single issue, which Jira then raises as a single ticket. When you have a bunch of similar vulnerabilities grouped together, it becomes possible to fix multiple flaws at once. Dev teams can save loads of time and effort when remediation becomes more efficient.
Automatic vulnerability prioritisation
Part of the correlation process is assigning severity scores to each vulnerability. AVC platforms feature automatic prioritisation, where scan results are given individual scores to mark how critical they are. Using this, devs can easily distinguish between vulnerabilities that need to be fixed immediately, and those that aren’t as urgent.
Report formats are automatically translated
AVC platforms take the convoluted XML, JSON or other formats generated for a vulnerability report and convert them into simplified metrics that devs can easily make sense of. With the help of graphs, charts and analytics, security and development teams can quickly make decisions about the vulnerability remediation process.
Detailed information about the issue and the fix
Even after vulnerabilities are correlated, they still need to be fixed. To make remediation much easier, some AVC platforms attach comprehensive metadata to each vulnerability. This can include vulnerable code snippets, details of the vulnerable endpoints, or the vulnerable library version. It makes a dev’s life much easier when they have a little bit of help fixing issues in their apps.
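To make the correlation, prioritisation, format-translation and per-build deduplication steps described above concrete, here is an added, self-contained example of the kind of glue an AVC step performs before anything reaches Jira. It is not code from any AVC product or from Atlassian, and it assumes two made-up scanner report formats (one JSON, one XML, constructed inline for the example), a hypothetical `run()` entry point, and a Jira project that still uses the stock Highest-to-Lowest priority names. Findings from both tools are normalised into one record shape, grouped by (CWE, file) so related flaws become a single ticket, ranked by the worst severity any tool assigned, and suppressed when a ticket for that group is already open from a previous build; the output is shaped as the body of Jira's REST issue-create call.

```python
"""Added example: a minimal vulnerability-correlation step in front of Jira.
Report formats, tool names and file paths are constructed for illustration."""
import hashlib
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumption: the Jira project uses the default priority scheme.
JIRA_PRIORITY = {"critical": "Highest", "high": "High", "medium": "Medium",
                 "low": "Low", "info": "Lowest"}

# Constructed sample output of a hypothetical SAST tool (not a real schema).
SAST_JSON = json.dumps({"results": [
    {"cwe": "CWE-89", "severity": "HIGH", "file": "app/db.py", "line": 42,
     "title": "SQL injection in query builder"},
    {"cwe": "CWE-89", "severity": "medium", "file": "app/db.py", "line": 57,
     "title": "SQL injection in search"},
    {"cwe": "CWE-79", "severity": "low", "file": "app/views.py", "line": 10,
     "title": "Reflected XSS in error page"},
]})

# Constructed sample output of a hypothetical DAST tool for the same app.
DAST_XML = """<report>
  <finding cwe="CWE-89" severity="critical" file="app/db.py" line="42">
    SQL injection confirmed on the search endpoint</finding>
  <finding cwe="CWE-352" severity="medium" file="app/forms.py" line="3">
    Form submitted without CSRF token</finding>
</report>"""


def normalise(tool, cwe, severity, path, line, title):
    """Common record every parser produces, whatever the source format."""
    return {"tool": tool, "cwe": cwe, "severity": severity.lower(),
            "file": path, "line": int(line), "title": title.strip()}


def parse_json_report(text, tool="sast"):
    data = json.loads(text)
    return [normalise(tool, r["cwe"], r["severity"], r["file"], r["line"],
                      r["title"]) for r in data["results"]]


def parse_xml_report(text, tool="dast"):
    root = ET.fromstring(text)
    return [normalise(tool, f.get("cwe"), f.get("severity"), f.get("file"),
                      f.get("line"), f.text or "") for f in root.iter("finding")]


def ticket_key(cwe, path):
    """Stable key for a (CWE, file) group: the same flaw in the next build
    maps to the same ticket instead of spawning a duplicate."""
    return hashlib.sha256(f"{cwe}|{path}".encode()).hexdigest()[:12]


def correlate(findings):
    """Group related findings into one ticket each and rank by severity."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["cwe"], f["file"])].append(f)
    tickets = []
    for (cwe, path), items in groups.items():
        # Conflicting tool scores are resolved by taking the worst one.
        worst = max(items, key=lambda f: SEVERITY_RANK[f["severity"]])
        tickets.append({
            "key": ticket_key(cwe, path), "cwe": cwe, "file": path,
            "priority": worst["severity"],
            "lines": sorted({f["line"] for f in items}),
            "tools": sorted({f["tool"] for f in items}),
            "titles": sorted({f["title"] for f in items}),
        })
    # Most severe first, so the top of the backlog is what must be fixed now.
    tickets.sort(key=lambda t: -SEVERITY_RANK[t["priority"]])
    return tickets


def drop_already_open(tickets, open_keys):
    """Suppress groups that already have an open ticket from an earlier build."""
    return [t for t in tickets if t["key"] not in open_keys]


def to_jira_payload(ticket, project_key):
    """Request body for Jira's REST issue-create call (POST /rest/api/2/issue)."""
    desc = "\n".join(
        [f"{ticket['cwe']} in {ticket['file']}, lines {ticket['lines']}",
         f"Reported by: {', '.join(ticket['tools'])}"]
        + [f"- {t}" for t in ticket["titles"]])
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": "Bug"},
        "priority": {"name": JIRA_PRIORITY[ticket["priority"]]},
        "summary": f"[{ticket['priority'].upper()}] {ticket['cwe']} in "
                   f"{ticket['file']} ({len(ticket['lines'])} location(s))",
        "description": desc,
    }}


def run(json_text=SAST_JSON, xml_text=DAST_XML, open_keys=frozenset()):
    """Hypothetical entry point: parse, correlate, dedupe, return tickets."""
    findings = parse_json_report(json_text) + parse_xml_report(xml_text)
    return drop_already_open(correlate(findings), open_keys)


if __name__ == "__main__":
    for t in run():
        print(json.dumps(to_jira_payload(t, "APPSEC"), indent=2))
```

With the constructed input, the five raw findings collapse into three tickets: the two SAST SQL-injection hits and the DAST confirmation of the same file become one Highest-priority ticket listing both lines and both tools, followed by the CSRF and XSS groups. Passing the keys of tickets still open from the last build to `run()` is what stops the same flaw from being re-raised on every scan.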